Hi, I want to try Unbound again after switching my ISP (Transworld), because the last ISP I had (Cybernet) messed with DNSSEC and it wouldn't work, so I had to use Unbound without it for recursive mode.
I'm behind CGNAT, and my WAN IP and the public IP address change as well on every restart with the Transworld ISP.
Right now I have AdGuard Home installed as well, as my main DNS server to block ads, and I want to use Unbound as the main upstream DNS server. Is this a good idea?
This is the configuration file that I made up. Any improvements, additions or subtractions?
/etc/config/unbound - UCI Config
config unbound 'ub_main'
# --- OS & Startup ---
option enabled '1'
option manual_conf '0'
option verbosity '1'
# --- Network Basics ---
option interface_auto '1'
option listen_port '5335'
option localservice '1'
option validator '1'
# --- Files & Paths ---
option root_hints '/etc/unbound/root.hints'
# --- Stats ---
option unbound_control '1'
option extended_stats '1'
# --- Access Control ---
list access_control '127.0.0.0/8 allow'
list access_control '192.168.0.0/16 allow'
list access_control '10.0.0.0/8 allow'
list private_address '192.168.0.0/16'
list private_address '172.16.0.0/12'
list private_address '10.0.0.0/8'
/etc/unbound/unbound_srv_conf - Server Config
I used this document to make my config:
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
# ==========================================
# UNBOUND SERVER MASTER CONFIGURATION
# ==========================================
# --- 1. IP & Network Settings ---
do-ip6: no
do-ip4: yes
prefer-ip4: yes
# --- 2. 4-Core CPU Tuning (Orbi RBR50) ---
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
# --- 3. Connection Limits ---
outgoing-range: 4096
num-queries-per-thread: 2048
# --- 4. Network Buffers ---
so-rcvbuf: 4m
so-sndbuf: 4m
so-reuseport: yes
# --- 5. Memory & Cache Sizes ---
msg-cache-size: 32m
rrset-cache-size: 64m
infra-cache-numhosts: 10000
# --- 6. Caching Behavior & Speed ---
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
serve-expired-client-timeout: 1024
cache-min-ttl: 0
cache-max-ttl: 3600
minimal-responses: yes
rrset-roundrobin: yes
# --- 7. Privacy & Security ---
qname-minimisation: yes
unwanted-reply-threshold: 10000000
harden-glue: yes
use-caps-for-id: yes
hide-version: yes
hide-identity: yes
# --- 8. Validation ---
harden-dnssec-stripped: yes
harden-algo-downgrade: yes
harden-short-bufsize: yes
/etc/sysctl.conf
# Increase kernel buffers for Unbound
net.core.rmem_max=4194304
net.core.wmem_max=4194304
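
Added example, not part of the original post: a small offline check of two constraints from the unbound.conf manual that this setup depends on, namely that `so-rcvbuf`/`so-sndbuf` only take effect up to the kernel's `net.core.rmem_max`/`net.core.wmem_max`, and that every `*-slabs` value must be a power of 2. The function names are hypothetical and the inline file excerpts are constructed from the values posted above.

```python
import re

# Constructed excerpts, using the values from the post above.
UNBOUND_SRV_CONF = """\
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-rcvbuf: 4m
so-sndbuf: 4m
"""
SYSCTL_CONF = """\
# Increase kernel buffers for Unbound
net.core.rmem_max=4194304
net.core.wmem_max=4194304
"""

def parse_kv(text, sep):
    """Return {key: value} for 'key<sep>value' lines, skipping comments and blanks."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip()
    return out

def size_bytes(value):
    """Convert an unbound.conf size such as '4m' or '512k' to bytes (1024-based)."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.lower())
    if not m:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}[m.group(2)]

def check(unbound_text, sysctl_text):
    """Return a list of findings; an empty list means the two files agree."""
    ub, sc = parse_kv(unbound_text, ":"), parse_kv(sysctl_text, "=")
    findings = []
    for opt, knob in (("so-rcvbuf", "net.core.rmem_max"), ("so-sndbuf", "net.core.wmem_max")):
        # A knob missing from sysctl.conf is flagged too: the kernel default then applies.
        if opt in ub and size_bytes(ub[opt]) > int(sc.get(knob, 0)):
            findings.append(f"{opt} {ub[opt]} exceeds {knob}={sc.get(knob, 'unset')}")
    for opt, val in ub.items():
        if opt.endswith("-slabs") and (int(val) & (int(val) - 1) or int(val) < 1):
            findings.append(f"{opt} {val} is not a power of 2")
    return findings

if __name__ == "__main__":
    print(check(UNBOUND_SRV_CONF, SYSCTL_CONF) or "consistent")
```

With the values as posted, the check returns no findings: `4m` is exactly 4194304 bytes and all slab counts are 4.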